chore(deps): update dependency aqua:gohugoio/hugo to v0.160.1

[renovate]

This PR contains the following updates:

Package	Update	Change
aqua:gohugoio/hugo	minor	0.159.1 → 0.160.1

---

Release Notes

gohugoio/hugo (aqua:gohugoio/hugo)

v0.160.1

Compare Source

What's Changed

• Fix panic when passthrough elements are used in headings 8b00030 @​bep #​14677
• Fix panic on edit of legacy mapped template names that's also a valid path in the new setup c485516 @​bep #​14740
• Fix RenderShortcodes leaking context markers when indented 161d0d4 @​bep #​12457
• Strip nested page context markers from standalone RenderShortcodes 45e4596 @​bep #​14732
• Rename deprecated cascade._target to cascade.target in tests 58927aa @​bep
• Fix auto-creation of root sections in multilingual sites ce009e3 @​bep #​14681
• readme: Fix links 0755872 @​chicks-net

v0.160.0

Compare Source

Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.

Bug fixes

• Fix some recently introduced Position issues 4e91e14 @​bep #​14710
• markup/goldmark: Fix double-escaping of ampersands in link URLs dc9b51d @​bep #​14715
• tpl: Fix stray quotes from partial decorator in script context 43aad71 @​bep #​14711

Improvements

• all: Replace NewIntegrationTestBuilder with Test/TestE/TestRunning 481baa0 @​bep
• tpl/css: Support @​import "hugo:vars" for CSS custom properties in css.Build 5d09b5e @​bep #​14699
• Improve and extend .Position handling in Goldmark render hooks 303e443 @​bep #​14663
• markup/goldmark: Clean up test 638262c @​bep

Dependency Updates

• build(deps): bump github.com/magefile/mage from 1.16.1 to 1.17.1 bf6e35a @​dependabot[bot]
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 0eda24e @​dependabot[bot]
• build(deps): bump golang.org/x/image from 0.37.0 to 0.38.0 beb57a6 @​dependabot[bot]

Documentation

• readme: Revise edition descriptions and installation instructions 9f1f1be @​jmooring

v0.159.2

Compare Source

Note that the security fix below is not a potential threat if you either:

• Trust your Markdown content files.
• Have custom render hook template for links and images.

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

• Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c @​bep
• resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e3 @​jmooring #​14684

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This update spans three minor releases (v0.159.2, v0.160.0, v0.160.1) with the following key changes:

v0.160.1 (Latest)

• Bug fixes for edge cases: panic when passthrough elements are used in headings, panic on edit of legacy mapped template names, RenderShortcodes leaking context markers
• Fix for auto-creation of root sections in multilingual sites
• Documentation improvements (README link fixes)

v0.160.0

• New feature: CSS vars injection support via @import "hugo:vars" in css.Build function
• Improvement: .Position method now available on all render hooks with better accuracy
• Bug fixes: Position handling improvements, double-escaping of ampersands in link URLs, stray quotes from partial decorator in script context
• Dependency updates: mage, go-jose, golang.org/x/image

v0.159.2

• Security fix: XSS vulnerability patched by escaping dangerous URLs in Markdown links and images (only affects sites without custom render hook templates)
• Bug fix: shared reader issue in Source.ValueAsOpenReadSeekCloser

Breaking Changes: None identified across all three releases.

🎯 Impact Scope Investigation

Hugo Usage in Codebase:

• Hugo version managed via mise.toml: Currently 0.159.1 → updating to 0.160.1
• Build command: hugo build --gc --minify --cacheDir (in .github/workflows/hugo.yaml)
• No custom render hooks found (no files in layouts/_default/_markup/)
• No CSS build usage detected (no css.Build function calls in templates)
• No .Position method usage in existing templates
• No shortcode usage, passthrough elements, or cascade._target patterns found

Template Analysis:

• layouts/_default/single.html: Uses standard Hugo template functions (.Title, .Description, .Content, .Params, urls.Parse)
• layouts/_default/list.html: Uses standard pagination and list rendering
• Custom CSS in assets/css/extended/references.css: Static CSS with CSS variables (not using css.Build)

Content Structure:

• Japanese tech blog posts with frontmatter (date, title, description, tags, references)
• No advanced markdown features that would trigger the fixed edge cases

💡 Recommended Actions

No action required beyond merging - this is a safe, backward-compatible update:

1. ✅ Merge the PR - All changes are backward compatible and provide bug fixes + security improvements
2. ✅ No code modifications needed - The codebase doesn't use the new features or encounter the fixed edge cases
3. ✅ Security benefit - v0.159.2 includes an XSS fix (though this site is protected since content files are trusted and controlled)
4. ✅ CI will validate - The existing GitHub Actions workflow will verify the build still works

Optional future enhancements (not required for this update):

• Consider using the new CSS vars feature (@import "hugo:vars") if you need to inject configuration values into stylesheets
• If you add custom render hooks in the future, they'll benefit from the improved .Position method

🔗 Reference Links

• Hugo v0.160.1 Release Notes
• Hugo v0.160.0 Release Notes
• Hugo v0.159.2 Release Notes (Security Fix)
• Hugo css.Build Documentation
• Hugo Render Hooks Documentation

Generated by koki-develop/claude-renovate-review